Question

I'm using Bitbucket for a few projects, but as of April 28, 2014 they will replace their End User Agreement with a new Customer Agreement. The new agreement mentions in 7.7.2: "You will not submit to the Hosted Services ... any personally identifiable information". One of my projects clearly contains such information, and I'm now trying to figure out what to do. These are the three possible options I could come up with:

  1. I may keep all existing projects and continue to work with them, as long as no new patch involves sensitive data. This is under the assumption that what I have done so far has been in accordance with the current agreement, and that the new agreement only concerns information submitted after April 28.

  2. I have to remove that particular project, but may keep the others. This seems likely if 7.4 in the new agreement means that any data that have been submitted to the "Hosted Services" will be treated equally, regardless of under which agreement it was submitted: "Your Data" means any data, content, code, video, images or other materials of any type that you upload, submit or otherwise transmit to or through Hosted Services.

  3. I have to terminate the agreement, and thus remove my account and all of my projects. This is a possible interpretation if the continuation of 7.4, about the company's right to "collect, use, copy, store, transmit, modify and create derivative works of Your Data", means that they can still do whatever they want, even with data that were submitted under the terms of an older agreement and have since then been removed.


Solution

The answer is that you should comply with your understanding of the agreement, which means you have to choose one of those options. You seem to have a good understanding, and if you go ahead and comply you most likely don't need a lawyer to tell you so.

If you plan to keep using the service, and if you get paid for doing it and/or you may cause harm to anyone, then you must get competent legal advice. That won't protect you, but it will tell you how bad the risks are.

To add one option: you could encrypt the data. If it uses strong encryption and you absolutely do not part with the keys (you keep them personally and in a safe place) then you should be safe. You might still want to get legal advice.

Bear in mind that this change in the agreement is probably a coded signal that the company is being required to hand over its data to a government body (the NSA for example). If you keep using the service, and particularly if you encrypt the data, you may yourself get a visit from someone in a suit and tie. If that happens, it will probably be too late to ask for advice.

Other suggestions

I think it means that you need to remove the project and/or the personally identifiable information from the project.

On option 1, what is the point of having source code hosted somewhere if you can't update it? I don't think number 3 (terminating your account) is necessary though, as there is a reason this is a change to the terms of use. The new terms of use were not in effect and you had not agreed to them when you checked in personally identifiable information.

I have to ask though, who do you dislike so much as to store their personal information unencrypted on a third party server that you have no control over?

On a side note, chances are that Atlassian's lawyers looked at their legal risk if their servers were compromised and realized that being responsible for personal information in source code repositories was a relatively large risk and not part of their core business model. So it makes sense for them to not want to be in the business of storing that type of information.

Frankly, I can't think of a good reason to store personal info in source control outside of perhaps an error report email or similar.

Licensed under: CC-BY-SA with attribution